Re: Please Help

2011-02-17 Thread Kevin Oberman
> Date: Thu, 17 Feb 2011 11:45:06 -0500
> From: "Lightner, Jeff" 
> Sender: bind-users-bounces+oberman=es@lists.isc.org
> 
> IIRC the U.S. Government last year or the year before mandated all their
> sites be DNSSEC compliant by early this year.  Maybe it is just a sign
> they are actually doing it.

Yes, they are. As of the last report I have received, something over 50%
of all .gov zones are now signed with the DS records installed in the
.gov zone. Still quite a ways to go but substantial progress has been
made and people with broken firewalls are starting to notice.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751

> -Original Message-
> From: bind-users-bounces+jlightner=water@lists.isc.org
> [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
> Of Ryan Novosielski
> Sent: Thursday, February 17, 2011 9:54 AM
> To: Xiaoxu Huang
> Cc: bind-users@lists.isc.org
> Subject: Re: Please Help
> 
> Glad to hear it was a help.
> 
> Does anyone happen to know if anything changed for .gov addresses just
> last week? This problem appears to have come out of the clear blue sky
> (not that there wasn't plenty of warning) so I have to assume that
> something was just activated.
> 
> On 02/17/2011 09:47 AM, Xiaoxu Huang wrote:
> > We have checked list archives and our side has increased the allowed DNS
> > packet size. Now we are fine to get correct answer for **.gov.
> > 
> > Thanks for help and Best Regards,
> > 
> > Xiao
> > 2/17/2011  
> >   
> > 
> > -Original Message-
> > From: bind-users-bounces+xhuang=graphnet@lists.isc.org
> > [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of
> > Ryan Novosielski
> > Sent: Wednesday, February 16, 2011 5:47 PM
> > To: bind-users@lists.isc.org
> > Subject: Re: Please Help
> > 
> > I asked this same question this week. Check the list archives.
> > 
> > On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
> >> From couple of our DNS servers, we are failed to get correct DNS answer
> >> like followings:
> > 
> >> 1) From server A
> > 
> >> # nslookup
> > 
> >> Default Server:  localhost
> > 
> >> Address:  127.0.0.1
> > 
> > 
> > 
> >>> www.nyc.gov
> > 
> >> Server:  localhost
> > 
> >> Address:  127.0.0.1
> > 
> > 
> > 
> >> *** localhost can't find www.nyc.gov: Non-existent host/domain# nslookup
> > 
> > 
> > 
> >> 2) From server B:
> > 
> >> # nslookup
> > 
> >>> www.nyc.gov
> > 
> >> ;; connection timed out; no servers could be reached
> > 
> > 
> > 
> >> 3) Both servers run bind-9.7.2-P2
> > 
> > 
> > 
> >> Can any one help?
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
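
Added example (not part of the thread, and not BIND code): a minimal Python model of the failure discussed above. A query without EDNS0 is limited to 512-byte UDP answers, while a query carrying an OPT record with the DO bit invites a larger signed answer that a middlebox still enforcing the old limit discards. The 1400-byte response size, the middlebox limits and the three-way outcome model are constructed assumptions.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # largest DNS/UDP message without EDNS0 (RFC 1035)

def build_query(name, qtype=1, edns_size=None, do_bit=False, txid=0x1234):
    """Build a DNS query; if edns_size is set, append an EDNS0 OPT record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS = payload size, TTL flags (DO = 0x8000)
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0x8000 if do_bit else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a plain or compressed name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer is two bytes
            return off + 2
        off += 1 + msg[off]
    return off + 1

def advertised_udp_size(query):
    """UDP payload size the query advertises; 512 when it has no OPT record."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == 41:
            return max(rclass, CLASSIC_UDP_LIMIT)
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT

def diagnose(query, response_len, middlebox_limit):
    """Predict the fate of a UDP response of response_len bytes (assumed model)."""
    if response_len > advertised_udp_size(query):
        return "truncated"  # server sets TC=1, resolver retries over TCP
    if response_len > middlebox_limit:
        return "dropped"    # discarded in transit: the resolver times out
    return "delivered"

# Constructed scenario: a 1400-byte signed answer for the name from the thread.
plain = build_query("www.nyc.gov")
edns = build_query("www.nyc.gov", edns_size=4096, do_bit=True)
print(diagnose(plain, 1400, 512), diagnose(edns, 1400, 512), diagnose(edns, 1400, 4096))
```
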


Re: bind 9.6.3 crashing on Freebsd 7.3

2011-02-17 Thread Carlos Vicente
Just had one of our authoritative servers crash with a similar error:

17-Feb-2011 10:28:18.814 general: critical: rbtdb.c:1566:
INSIST(((unsigned int)((&(node)->references)->refs)) == 0 && node->data
== ((void *)0)) failed
17-Feb-2011 10:28:18.838 general: critical: exiting (due to assertion
failure)

Just before that, the logs show:

7-Feb-2011 10:28:18.770 security: info: client 204.194.237.19#24246:
query (cache) 'cf._dns-sd._udp.0.0.171.184.in-addr.arpa/TXT/IN' denied
17-Feb-2011 10:28:18.780 security: info: client 204.194.237.19#48606:
query (cache) 'lb._dns-sd._udp.0.0.171.184.in-addr.arpa/PTR/IN' denied
17-Feb-2011 10:28:18.812 security: info: client 204.194.237.19#43987:
query (cache) 'cf._dns-sd._udp.0.0.171.184.in-addr.arpa/TXT/IN' denied

Not sure if it's related.

This is:

# named -V
BIND 9.7.2-P3-RedHat-9.7.2-4.P3.uopel5 built with
'--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu'
'--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
'--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic'
'--disable-static' '--disable-openssl-version-check'
'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu'
'target_alias=i386-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables' 'CPPFLAGS= -DDIG_SIGCHASE' 'CXXFLAGS=-O2 -g
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables' 'FFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables'

# uname -a
Linux  2.6.18-128.1.1.el5 #1 SMP Mon Jan 26 13:59:00 EST 2009 i686 i686 i386
GNU/Linux

Any information would be much appreciated.

Thanks,

cv

On Mon, Feb 14, 2011 at 5:09 AM, Joshua Frugé  wrote:

>
>
> On 02/11/2011 21:21, Terry. wrote:
>
>> 2011/2/11 Joshua Frugé:
>>
>>> running bind 9.6.3 installed from ports on Freebsd 7.3 (amd64)
>>>
>>> Getting this error in my local log
>>>
>>> 10-Feb-2011 21:12:13.711 general: rbtdb.c:1506: INSIST(((unsigned
>>> int)((&(node)->references)->refs)) == 0&&  node->data == ((void *)0))
>>> failed
>>>
>>>  could you try to compile BIND from the source rather than the ports
>> installation?
>>
>> Regards.
>>
>>  I had to revert back to 9.6.2.  Going to try to replicate the issue on a
> test server and get more info.
>
>

RE: Please Help

2011-02-17 Thread Lightner, Jeff
IIRC the U.S. Government last year or the year before mandated all their
sites be DNSSEC compliant by early this year.  Maybe it is just a sign
they are actually doing it.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Ryan Novosielski
Sent: Thursday, February 17, 2011 9:54 AM
To: Xiaoxu Huang
Cc: bind-users@lists.isc.org
Subject: Re: Please Help

Glad to hear it was a help.

Does anyone happen to know if anything changed for .gov addresses just
last week? This problem appears to have come out of the clear blue sky
(not that there wasn't plenty of warning) so I have to assume that
something was just activated.

On 02/17/2011 09:47 AM, Xiaoxu Huang wrote:
> We have checked list archives and our side has increased the allowed DNS
> packet size. Now we are fine to get correct answer for **.gov.
> 
> Thanks for help and Best Regards,
> 
> Xiao
> 2/17/2011  
>   
> 
> -Original Message-
> From: bind-users-bounces+xhuang=graphnet@lists.isc.org
> [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of
> Ryan Novosielski
> Sent: Wednesday, February 16, 2011 5:47 PM
> To: bind-users@lists.isc.org
> Subject: Re: Please Help
> 
> I asked this same question this week. Check the list archives.
> 
> On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
>> From couple of our DNS servers, we are failed to get correct DNS answer
>> like followings:
> 
>> 1) From server A
> 
>> # nslookup
> 
>> Default Server:  localhost
> 
>> Address:  127.0.0.1
> 
> 
> 
>>> www.nyc.gov
> 
>> Server:  localhost
> 
>> Address:  127.0.0.1
> 
> 
> 
>> *** localhost can't find www.nyc.gov: Non-existent host/domain# nslookup
> 
> 
> 
>> 2) From server B:
> 
>> # nslookup
> 
>>> www.nyc.gov
> 
>> ;; connection timed out; no servers could be reached
> 
> 
> 
>> 3) Both servers run bind-9.7.2-P2
> 
> 
> 
>> Can any one help?
> 
> 
> 
>> Thanks and Best Regards,
> 
> 
> 
>> Xiao
> 
>> 2/16/2011
> 
> 
> 
> 
> 

-- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark


Re: $GENERATE for /8 networks

2011-02-17 Thread Eivind Olsen
> Is there a way I can use $GENERATE to generate PTR records for the whole
> of 10.0.0.0/8 in one line?

Disclaimer: I haven't ever really bothered with $GENERATE. But by reading
the BIND 9.7 ARM, it does seem to be aimed at doing the job for /24
segments, not /8.

Pre-generating a static list of PTR records for a /8 isn't too tricky, by
using any scripting language like Perl for example, although the generated
file will probably be somewhat large. Here's a mockup of such a script, to
give an example:

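#!/usr/bin/env perl
use strict;
use warnings;

# Owner names are relative, so the output belongs in the 10.in-addr.arpa zone.
my $network = "10";
for (my $bnet = 0; $bnet < 256; $bnet++) {
  for (my $cnet = 0; $cnet < 256; $cnet++) {
    for (my $dnet = 0; $dnet < 256; $dnet++) {
      # Owner is the remaining three octets reversed, e.g. 3.2.1 for 10.1.2.3
      print "${dnet}.${cnet}.${bnet} PTR ${network}-${bnet}-${cnet}-${dnet}.mynetwork.\n";
    }
  }
}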

(no, I'll not pretend it's nice code or anything)

Regards
Eivind Olsen




Re: $GENERATE for /8 networks

2011-02-17 Thread Alan Clegg
On 2/17/2011 10:20 AM, Mark Watts wrote:
> 
> Is there a way I can use $GENERATE to generate PTR records for the whole
> of 10.0.0.0/8 in one line?

No.  There is not.

I must ask -- do you REALLY need to fill all of a /8?  What is the
requirement for this?

AlanC




$GENERATE for /8 networks

2011-02-17 Thread Mark Watts
Is there a way I can use $GENERATE to generate PTR records for the whole
of 10.0.0.0/8 in one line?

Mark.

-- 
Mark Watts BSc RHCE
Senior Systems Engineer, MSS Secure Managed Hosting
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg


Re: Please Help

2011-02-17 Thread Ryan Novosielski
Glad to hear it was a help.

Does anyone happen to know if anything changed for .gov addresses just
last week? This problem appears to have come out of the clear blue sky
(not that there wasn't plenty of warning) so I have to assume that
something was just activated.

On 02/17/2011 09:47 AM, Xiaoxu Huang wrote:
> We have checked list archives and our side has increased the allowed DNS
> packet size. Now we are fine to get correct answer for **.gov.
> 
> Thanks for help and Best Regards,
> 
> Xiao
> 2/17/2011  
>   
> 
> -Original Message-
> From: bind-users-bounces+xhuang=graphnet@lists.isc.org
> [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of
> Ryan Novosielski
> Sent: Wednesday, February 16, 2011 5:47 PM
> To: bind-users@lists.isc.org
> Subject: Re: Please Help
> 
> I asked this same question this week. Check the list archives.
> 
> On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
>> From couple of our DNS servers, we are failed to get correct DNS answer
>> like followings:
> 
>> 1) From server A
> 
>> # nslookup
> 
>> Default Server:  localhost
> 
>> Address:  127.0.0.1
> 
> 
> 
>>> www.nyc.gov
> 
>> Server:  localhost
> 
>> Address:  127.0.0.1
> 
> 
> 
>> *** localhost can't find www.nyc.gov: Non-existent host/domain# nslookup
> 
> 
> 
>> 2) From server B:
> 
>> # nslookup
> 
>>> www.nyc.gov
> 
>> ;; connection timed out; no servers could be reached
> 
> 
> 
>> 3) Both servers run bind-9.7.2-P2
> 
> 
> 
>> Can any one help?
> 
> 
> 
>> Thanks and Best Regards,
> 
> 
> 
>> Xiao
> 
>> 2/16/2011
> 
> 
> 
> 
> 

-- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark

RE: Please Help

2011-02-17 Thread Xiaoxu Huang
We have checked list archives and our side has increased the allowed DNS
packet size. Now we are fine to get correct answer for **.gov.

Thanks for help and Best Regards,

Xiao
2/17/2011  
  

-Original Message-
From: bind-users-bounces+xhuang=graphnet@lists.isc.org
[mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of
Ryan Novosielski
Sent: Wednesday, February 16, 2011 5:47 PM
To: bind-users@lists.isc.org
Subject: Re: Please Help

I asked this same question this week. Check the list archives.

On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
> From couple of our DNS servers, we are failed to get correct DNS answer
> like followings:
> 
> 1) From server A
> 
> # nslookup
> 
> Default Server:  localhost
> 
> Address:  127.0.0.1
> 
>  
> 
>> www.nyc.gov
> 
> Server:  localhost
> 
> Address:  127.0.0.1
> 
>  
> 
> *** localhost can't find www.nyc.gov: Non-existent host/domain# nslookup
> 
>  
> 
> 2) From server B:
> 
> # nslookup
> 
>> www.nyc.gov
> 
> ;; connection timed out; no servers could be reached
> 
>  
> 
> 3) Both servers run bind-9.7.2-P2
> 
>  
> 
> Can any one help?
> 
>  
> 
> Thanks and Best Regards,
> 
>  
> 
> Xiao
> 
> 2/16/2011
> 
> 
> 


-- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark